Forum Discussion
Need help in the lab - APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills
I am currently working through the APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills lab and would appreciate your assistance in reviewing or clarifying a few specific questions. Despite thorough log analysis and validation via Splunk queries, the following questions are not accepting what I believe to be correct answers:
Q10. A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?
Q11. This PowerShell script was added to a registry key that was used to bypass user access control. What other value was set on the same key to facilitate this?
Q15. What was the name of the service created to obtain a means of persistence?
Q23. What is the name of the executable that's executed by the persistence mechanism placed in the Windows Startup folder?
2 Replies
- veryk
Bronze II
That's funny, I came here stuck on 16 looking for help. I can help you with 10, 11 and 15 though. Did you want to share what you think the answers are, or should I give you a hint, or the answer?
- veryk
Bronze II
Ironically looking at 15 helped me to finally solve 16. I can also help you with 23 if you need as well.